
During a proactive dark web monitoring and adversary engagement operation conducted by CloudSek TRIAD, we identified and analyzed an actively operated commercial Phishing-as-a-Service (PhaaS) platform operating under the name BlueKit. Our investigation determined that BlueKit provides a complete phishing infrastructure designed to enable large-scale credential harvesting, session hijacking, and account takeover campaigns targeting financial institutions, cloud providers, cryptocurrency platforms, and major e-commerce services globally.
The platform demonstrates a high level of operational maturity through structured subscription tiers, centralized management dashboards, automated phishing deployment, and integrated anti-detection tooling. BlueKit supports phishing templates for multiple global brands, including banking institutions, Microsoft, Google, Amazon, Apple, GitHub, and cryptocurrency wallets, while also integrating bulk SMS phishing (smishing), real-time Telegram victim notifications, anti-detect browser support, and automated credential post-processing workflows.
A significant finding during our analysis was the platform’s recent migration to a peer-to-peer (P2P) phishing page rendering model, designed to conceal backend phishing infrastructure from browser developer tools and conventional network analysis techniques. This evolution substantially increases resilience against traditional IOC-based detection, phishing-kit fingerprinting, and infrastructure attribution efforts.
Based on our assessment, BlueKit represents a mature, scalable, and commercially optimized cybercriminal ecosystem capable of significantly lowering the technical barrier for low-skilled threat actors while simultaneously increasing operational stealth and persistence. The platform poses a critical threat to enterprise cloud environments, financial institutions, and high-value user accounts globally.

BlueKit operates as a structured cybercriminal SaaS ecosystem with clear indicators of:
The operators utilize:
The platform’s operational structure strongly resembles legitimate SaaS business models, including:
The use of .su infrastructure, Jabber communications, and OPSEC-oriented tooling suggests links to CIS-aligned cybercrime ecosystems; this assessment is further supported by the operators' explicit statement that they do not engage with CIS-based organizations.
Clearnet domains: bluekit[.]ws, bluekit[.]cc, bluekit[.]su, bluekit[.]pk
Tor Service: bluekitsmi6sd5mjurh3l7n7oeizbedoe2hw2lsljtb5nbxiul6hzkqd[.]onion.
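The indicators above are published defanged (`[.]`), so they cannot be pasted straight into a log search. As an added example, not part of the CloudSEK report, the following Python refangs the listed domains and the Tor hostname and matches them against proxy/DNS log lines. The log format, user names and timestamps are constructed for illustration; matching is done on the exact host or any subdomain of it, so look-alike hosts such as `notbluekit.cc` or `bluekit.cc.example.com` are not flagged.

```python
import re
from typing import List, Optional, Tuple

# BlueKit infrastructure as listed in the report, in its defanged form.
BLUEKIT_IOCS = [
    "bluekit[.]ws",
    "bluekit[.]cc",
    "bluekit[.]su",
    "bluekit[.]pk",
    "bluekitsmi6sd5mjurh3l7n7oeizbedoe2hw2lsljtb5nbxiul6hzkqd[.]onion",
]

# Constructed sample log lines (format assumed: timestamp user action target status).
SAMPLE_LOG = """\
2025-01-10T10:00:01Z alice GET https://bluekit.cc/login 200
2025-01-10T10:00:02Z bob DNS A mail.bluekit.su
2025-01-10T10:00:03Z carol GET https://bluekit.cc.example.com/ 200
2025-01-10T10:00:04Z dave GET https://notbluekit.cc/ 200
2025-01-10T10:00:05Z erin GET https://www.microsoft.com/ 200
2025-01-10T10:00:06Z frank GET http://bluekitsmi6sd5mjurh3l7n7oeizbedoe2hw2lsljtb5nbxiul6hzkqd.onion/ 200
""".splitlines()

# Hostname-like tokens: an optional scheme, then labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (bluekit[.]cc, hxxp://...) into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def hosts_in(line: str) -> set:
    """Extract every hostname-like token from one log line, lower-cased."""
    return {m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(line)}


def match_ioc(refanged_iocs: List[str], host: str) -> Optional[str]:
    """Return the IOC that covers `host` (exact match or subdomain), else None."""
    for ioc in refanged_iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines: List[str], iocs: List[str] = BLUEKIT_IOCS) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (line_number, host, matched_ioc) for each hit."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        for host in sorted(hosts_in(line)):
            ioc = match_ioc(refanged, host)
            if ioc:
                hits.append((n, host, ioc))
    return hits


if __name__ == "__main__":
    for n, host, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: {host} matched IOC {ioc}")
```

Suffix matching on a dot boundary is the important detail: matching on a plain substring would flag `notbluekit.cc`, while matching only on exact equality would miss subdomains such as `mail.bluekit.su`, which phishing operators routinely rotate.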

Full schema extracted from `/_next/static/chunks/111d_ug--1sxq.js`. All 29 tables, columns, enums, and relations were exposed; a few of them are:

Screenshot of the mammoths (victims) dashboard